
[SpamCop-List] Re: unreported Japanese spam from <info@sukiya-nen.com>

Philippe Verdy (n.o-s.p.a.m+abuse) verdy_p at wanadoo.fr
Wed Dec 14 02:06:02 EST 2005


"Mike Easter" <MikeE at ster.invalid> wrote in message news: 
dnnqko$5re$1 at news.spamcop.net...
> Philippe Verdy wrote:
> www.spamcop.net/sc?id=z840985084zbd706a6876f266d6c0221e5addf19979z
>>
>> Too many links, spamvertized websites not reported:
>
> Under my recommended optional reporter preference, all of those links
> [or none of them] would/could have been passed along to sc-surbl, and no
> SC resources would have been spent performing all of those useless
> resolutions, which turned out to not be good for anything anyway.
>
> By my reporter option, none of the spamvertisers would have been
> notified, but instead all of the notifies would have gone to a devnull
> based on their domainname.
>
> I didn't look at your tracker because I saw what was in .spam -- so it
> wouldn't be possible for someone who didn't have the char set and
> recognized .jp to be able to properly discern the IBs.

I found no way to transmit this message in .spam exactly like the one I 
received, because once encoded, it generated too long lines that my upper 
news server rejects. Unfortunately, I can't choose the same 7-bit 
ISO-2022-JP for sending the message, so the message is full of escape 
sequences that don't cross my news server. If I encode the exact ASCII only 
content, then the ESCAPE characters present in the spam are translated into 
8-bit form using quoted printable, and this generates too long lines (and 
there's no way to recover from that error because lines are not split as 
they should be, using quoted printable, to bypass this limit, notably in lines 
that don't contain any space).

I see no way to transmit an exact copy of the mail I received to your 
newsserver.
Anyway, there is enough evidence, by the number of links related to the 
same domain, that sukiya-nen.com is spamming, and that its sender is 
accurate (the other links seem to be links to affiliation programs).

So these spams without spaces are a problem, and this will allow spammers in 
Chinese, Japanese, Korean to easily avoid reporting. After saying that, 
the same technique becomes applicable for other languages, including English 
if they replace all spaces by ideographic spaces, and change to full-width 
ASCII, sent in an ISO-2022 charset.

This looks like a way to prevent reporting of spamvertized sites (so all we 
can report is one of the millions of open-proxies running in PCs worldwide 
infected by viral spamware, those being the least effective to close after 
abuse reports, because their users are not even aware that their PC is 
harvested this way to relay spam).
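
An added example, not part of the original post or of SpamCop's code: on the parsing side, decoding the ISO-2022-JP body and applying Unicode NFKC folds full-width ASCII and ideographic spaces back to ASCII so a link extractor matches again, and quoted-printable soft line breaks keep a space-free body under the line limit. The sample text, `example.com` and all function names are constructed for illustration.

```python
import quopri
import re
import unicodedata

# Constructed sample (not the reported spam): space-free Japanese text with a
# full-width URL set off by ideographic spaces; example.com is a placeholder.
SAMPLE_TEXT = "詳細はこちら　ｈｔｔｐ：／／ｗｗｗ．ｅｘａｍｐｌｅ．ｃｏｍ／ｊｏｉｎ　今すぐ登録" * 3
RAW_BODY = SAMPLE_TEXT.encode("iso2022_jp")  # 7-bit bytes with ESC sequences

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def naive_links(raw, charset="iso2022_jp"):
    """Decode only: full-width letters never match an ASCII URL pattern."""
    return URL_RE.findall(raw.decode(charset, errors="replace"))


def normalized_links(raw, charset="iso2022_jp"):
    """Decode, then NFKC-fold full-width ASCII and U+3000 before matching."""
    text = unicodedata.normalize("NFKC", raw.decode(charset, errors="replace"))
    return URL_RE.findall(text)


def qp_wrap(raw):
    """Quoted-printable encode: ESC becomes '=1B', and soft breaks ('=' at
    end of line) split long lines even when the content has no spaces."""
    return quopri.encodestring(raw)


def longest_line(data):
    """Length in bytes of the longest line in an encoded body."""
    return max(len(line) for line in data.splitlines())


if __name__ == "__main__":
    encoded = qp_wrap(RAW_BODY)
    print("raw line length:  ", len(RAW_BODY))
    print("longest QP line:  ", longest_line(encoded))
    print("round trip intact:", quopri.decodestring(encoded) == RAW_BODY)
    print("naive links:      ", naive_links(RAW_BODY))
    print("normalized links: ", normalized_links(RAW_BODY))
```
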



